Report In Brief
U.S. Department of Commerce, Office of Inspector General
January 2010

National Oceanic and Atmospheric Administration (NOAA)
FY 2009 FISMA Assessment of the Environmental Satellite Processing Center (ESPC) (OAE-19730)

Why We Did This Review

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to identify and provide security protection of information collected or maintained by them or on their behalf. Inspectors general are required to annually evaluate agencies' information security programs and practices. Such evaluations must include testing of a representative subset of systems and an assessment, based on that testing, of the entity's compliance with FISMA and applicable requirements.

This review covers our evaluation of NOAA's ESPC, which is one of a sample of systems we assessed in FY 2009.

Background

ESPC is NOAA's primary processing system for the nation's environmental satellite data. ESPC ingests, processes, distributes, and archives data from two environmental and meteorological satellite systems.

C&A is a process by which security controls for IT systems are assessed to determine their overall effectiveness. Understanding the remaining vulnerabilities identified during the assessment is essential in determining the risk resulting from the use of the system to the organization's operations and assets, to individuals, to other organizations, and to the nation. Continuous monitoring is a critical post-accreditation aspect of this process.

What We Found

Our objectives for this review were to determine whether (1) implemented controls adequately protected the system and its information, (2) continuous monitoring is keeping the authorizing official sufficiently informed about the operational status and effectiveness of security controls, and (3) the certification and accreditation (C&A) process produced sufficient information about remaining system vulnerabilities to enable the authorizing official to make a credible, risk-based accreditation decision.

We found that the National Environmental Satellite, Data, and Information Service has not followed the required process for C&A of ESPC. The lack of proper security planning undermined the effectiveness of the system's security certification, hindering the authorizing official in making a credible risk-based accreditation decision. The system's plan of action and milestones for remediating vulnerabilities is ineffective.

What We Recommend

We recommend that NOAA complete security planning activities, conduct appropriate security control assessments, and address system deficiencies. Until these activities have been completed, NOAA should revise the system's accreditation status to an interim authorization to operate.

In its response to our draft report, NOAA disputed our findings and concurred with only two of our recommendations. NOAA does agree that ESPC's security posture must improve. We have asked NOAA to reconsider its response based on our comments in this report and craft its action plan, due in 60 days, accordingly.